


CLAIMS 



1. A system for detecting intrusions, comprising: 
an analysis engine; and 
at least one sensor, configured to communicate with the analysis engine using at 
least one meta-protocol including a 4-tuple. 



2. The system as recited in claim 1, wherein the meta-protocol includes a data 
packet, and the data packet includes the 4-tuple. 




3. The system as recited in claim 1, wherein the 4-tuple describes a data item. 

4. The system as recited in claim 3, wherein the 4-tuple comprises a semantic type, 
data type, data type size, and value of the data item. 

5. The system as recited in claim 4, wherein the analysis engine is configured to use 
the data item to detect an intrusion. 

6. The system as recited in claim 1, wherein the at least one sensor is configured to 
communicate with the analysis engine using a plurality of meta-protocols. 



7. The system as recited in claim 6, wherein each of the plurality of meta-protocols 
includes a 4-tuple. 

8. The system as recited in claim 6, wherein the analysis engine is configured to 
invoke the at least one sensor and specify a set of meta-protocols supported by the 
analysis engine, and wherein the at least one sensor is configured to select a 
meta-protocol from the set. 

9. The system as recited in claim 8, wherein the set is a null set, and the at least one 
sensor is configured to use a default protocol. 



10. The system as recited in claim 1, wherein the analysis engine is configured to 
specify a set of semantic codes representing data being requested by the analysis engine. 

11. The system as recited in claim 10, wherein the at least one sensor is configured to 
supply data associated with the semantic codes, and wherein the at least one sensor 
further supplies data not associated with the semantic codes. 

12. The system as recited in claim 11, wherein the analysis engine is configured to 
disregard the data not associated with the semantic codes. 

13. The system as recited in claim 10, wherein the set of semantic codes is a null set, 
and the at least one sensor is configured to use a default set of semantic codes. 
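The exchange that claims 1 through 13 describe, as an added illustration written for this page (it is not an implementation from the patent or its applicant): a sensor serialises each data item as the 4-tuple of claim 4, the engine offers its set of meta-protocols and the sensor picks one or falls back to a default when the set is empty (claims 8, 9), the engine names the semantic codes it wants and the sensor answers with those plus whatever else it has, which the engine disregards (claims 10 to 13). The protocol names, semantic codes, data-type codes, wire layout and the sample readings are all assumptions; the decoder also checks every size field, which the claims do not require but any parser of a sensor-supplied packet should.

```python
import struct

# Hypothetical semantic codes; the claims do not enumerate any.
SEM_SRC_IP = 1
SEM_DST_PORT = 2
SEM_FAILED_LOGINS = 3
SEM_PROCESS_NAME = 4

# Hypothetical data-type codes. DT_STR is variable length; the size
# field of the 4-tuple says how many bytes follow the header.
DT_U32 = 1
DT_U16 = 2
DT_STR = 3
_FMT = {DT_U32: ">I", DT_U16: ">H"}

# Assumed wire header of one 4-tuple: semantic type, data type, data type size.
_HDR = struct.Struct(">HBH")


def encode_tuple(sem, dtype, value):
    """Serialise (semantic type, data type, size, value) into bytes."""
    payload = value.encode("utf-8") if dtype == DT_STR else struct.pack(_FMT[dtype], value)
    return _HDR.pack(sem, dtype, len(payload)) + payload


def decode_tuples(buf):
    """Parse a packet into a list of 4-tuples. Every size field is checked
    against the bytes that remain, so a truncated or lying packet raises
    instead of being read past its end."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < _HDR.size:
            raise ValueError("truncated header")
        sem, dtype, size = _HDR.unpack_from(buf, off)
        off += _HDR.size
        if len(buf) - off < size:
            raise ValueError("size field exceeds packet")
        raw = buf[off:off + size]
        off += size
        if dtype == DT_STR:
            value = raw.decode("utf-8")
        elif dtype in _FMT and size == struct.calcsize(_FMT[dtype]):
            value = struct.unpack(_FMT[dtype], raw)[0]
        else:
            raise ValueError("unknown data type or wrong size")
        out.append((sem, dtype, size, value))
    return out


def is_well_formed(buf):
    try:
        decode_tuples(buf)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


class Sensor:
    """Sensor side of the exchange (claims 8, 9, 11, 13)."""
    SUPPORTED = ("tuple-v2", "tuple-v1")      # hypothetical protocol names
    DEFAULT_PROTOCOL = "tuple-v1"
    DEFAULT_CODES = frozenset({SEM_SRC_IP, SEM_FAILED_LOGINS})

    def __init__(self, readings):
        self._readings = readings             # {sem: (dtype, value)}

    def select_protocol(self, offered):
        if not offered:                       # claim 9: null set -> default protocol
            return self.DEFAULT_PROTOCOL
        for name in self.SUPPORTED:           # claim 8: choose from the engine's set
            if name in offered:
                return name
        raise ValueError("no mutually supported meta-protocol")

    def respond(self, requested):
        codes = set(requested) or self.DEFAULT_CODES   # claim 13: null set -> default codes
        missing = codes - set(self._readings)
        if missing:
            raise ValueError("sensor cannot supply codes %r" % sorted(missing))
        # Claim 11: the sensor sends the requested codes and may add others.
        return b"".join(encode_tuple(sem, dtype, value)
                        for sem, (dtype, value) in sorted(self._readings.items()))


class AnalysisEngine:
    """Analysis-engine side of the exchange (claims 5, 8, 10, 12)."""
    SUPPORTED = frozenset({"tuple-v2"})

    def invoke(self, sensor, requested):
        proto = sensor.select_protocol(self.SUPPORTED)
        wanted = set(requested)
        # Claim 12: keep only the requested codes; an empty request accepts
        # whatever the sensor's default set contains.
        data = {sem: value for sem, _dt, _sz, value in decode_tuples(sensor.respond(wanted))
                if not wanted or sem in wanted}
        return proto, data

    def detect(self, data, threshold=5):
        # Claim 5: the value of the data item drives the intrusion decision.
        return data.get(SEM_FAILED_LOGINS, 0) >= threshold


def sample_sensor():
    """Constructed sample readings for one sensor instance."""
    return Sensor({SEM_SRC_IP: (DT_U32, 0x0A000001),
                   SEM_FAILED_LOGINS: (DT_U32, 7),
                   SEM_PROCESS_NAME: (DT_STR, "sshd")})
```

The length check in `decode_tuples` is the practical point: the sensor is on a different host (claim 14), so the engine must treat the size field as untrusted input rather than as a promise about the buffer.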
14. The system as recited in claim 1, wherein the analysis engine is located on a first 
host and an instance of the at least one sensor is located on a second host apart from the 
first host. 

15. The system as recited in claim 14, comprising a second instance of the at least one 
sensor, wherein the second instance is located on a host apart from the second host. 



16. The system as recited in claim 1, wherein the at least one sensor includes a sensor 
collector in communication with the analysis engine. 


17. The system as recited in claim 1, further comprising a sensor collector disposed in 
a communication path between the analysis engine and the at least one sensor. 

18. The system as recited in claim 1, wherein the analysis engine is configured to load 
a rule set while the analysis engine is in operation. 






19. The system as recited in claim 1, further comprising a second sensor, and wherein 
the analysis engine is configured to load a rule set for the second sensor while the 
analysis engine is in operation. 

20. The system as recited in claim 19, wherein the rule set is configured to specify 
interactions of data from the second sensor with data from the at least one sensor. 
21. The system as recited in claim 20, wherein the analysis engine is configured to 
ignore rules in the rule set that specify data not supplied by any sensor. 
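Claims 18 through 21 together describe a rule engine that accepts rule sets while running, lets a rule relate data from two sensors, and silently drops rules that need data no sensor supplies. The following is an added example written for this page, not code from the patent; the rule structure, sensor names, semantic codes and thresholds are assumptions chosen to exercise those four claims.

```python
import threading
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Rule:
    name: str
    needs: FrozenSet[str]                          # semantic codes the rule reads
    test: Callable[[Dict[str, object]], bool]      # predicate over one window of data


class RuleEngine:
    """Analysis engine that takes rule sets at run time (claims 18, 19),
    evaluates rules spanning two sensors (claim 20) and ignores rules that
    need a code no registered sensor supplies (claim 21)."""

    def __init__(self):
        self._lock = threading.Lock()
        self._supplied: Dict[str, FrozenSet[str]] = {}   # sensor -> codes it emits
        self._rules: Dict[str, List[Rule]] = {}          # sensor -> active rules

    def register_sensor(self, sensor: str, codes) -> None:
        with self._lock:
            self._supplied[sensor] = frozenset(codes)

    def load_rules(self, sensor: str, rules: List[Rule]) -> List[str]:
        """Swap in the rule set for `sensor` without stopping evaluation.
        Returns the names of rules dropped because a code they need is
        not supplied by any sensor (claim 21)."""
        with self._lock:
            available = frozenset().union(*self._supplied.values())
            self._rules[sensor] = [r for r in rules if r.needs <= available]
        return [r.name for r in rules if not r.needs <= available]

    def evaluate(self, data: Dict[str, object]) -> List[str]:
        """Run every active rule over one window of merged sensor data.
        A rule whose inputs are absent from this window does not fire."""
        with self._lock:
            active = [r for rs in self._rules.values() for r in rs]
        return [r.name for r in active if r.needs.issubset(data) and r.test(data)]


# Constructed sample rules with hypothetical codes and thresholds.
BRUTE_FORCE_THEN_SHELL = Rule(          # claim 20: relates two sensors' data
    "brute_force_then_shell",
    frozenset({"net.failed_logins", "host.new_process"}),
    lambda d: d["net.failed_logins"] >= 5 and d["host.new_process"] in {"sh", "bash", "nc"},
)
ORPHAN_RULE = Rule(                     # needs a code no sensor below supplies
    "orphan",
    frozenset({"fs.inode_changes"}),
    lambda d: d["fs.inode_changes"] > 0,
)


def demo_engine() -> RuleEngine:
    """Constructed setup: a network sensor and a host sensor, rules loaded
    after the engine is already accepting data."""
    eng = RuleEngine()
    eng.register_sensor("net-sensor", ["net.failed_logins", "net.src_ip"])
    eng.register_sensor("host-sensor", ["host.new_process"])
    eng.load_rules("host-sensor", [BRUTE_FORCE_THEN_SHELL, ORPHAN_RULE])
    return eng
```

The lock is what makes the claim 18 behaviour safe: a rule set can be replaced from one thread while another thread is mid-evaluation, and each evaluation sees either the old set or the new one, never a half-loaded mix.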

22. A method for detecting intrusions, comprising the steps of: 
providing an analysis engine; 
providing at least one sensor; and 
defining a meta-protocol including a 4-tuple for communication between the 
analysis engine and the at least one sensor. 

23. A computer program product for detecting intrusions on a host, the computer 
program product being embodied in a computer readable medium having machine 
readable code embodied therein for performing the steps of: 
providing an analysis engine; 
providing at least one sensor; and 
defining a meta-protocol including a 4-tuple for communication between the 
analysis engine and the at least one sensor. 